[Openswan dev] Working KLIPS, but but with a few minor issues
David McCullough
david_mccullough at mcafee.com
Wed Apr 14 07:15:16 EDT 2010
Jivin Harald Jenny lays it down ...
> Hi David,
>
> can't confirm attached patch fixes problem, sorry...
Thats ok, it fixed it for me, at least with the simple test I gave it.
Thanks,
Davidm
> On Wed, Apr 14, 2010 at 11:44:35AM +1000, David McCullough wrote:
> >
> > Jivin Ruben Laban lays it down ...
> > > Hello list,
> > >
> > > Latest git has a working KLIPS stack again:
> > > * Compiles fine
> > > * Loads fine
> > > * En/Decrypts fine
> > > * Unloads fine
> > > * etc
> > >
> > > However, I did notice a few minor issues:
> > > * Bringing down/replacing a tunnel isn't "clean":
> > >
> > > # ipsec auto --down tunnel2
> > > 003 "tunnel2" #14: building of pfkey_msg_hdr flow eroute_connection replace with shunt failed, code -22
> >
> > Ok, should have looked harder when I found the other one.
> > I think the attached patch should fix it, haven't had a chance to try it
> > yet though,
> >
> > Cheers,
> > Davidm
> >
> > > Replace:
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2": deleting connection
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #12: deleting state (STATE_MAIN_I4)
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: deleting state (STATE_QUICK_I2)
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_lib_debug:pfkey_msg_parse: satype 1 conversion to proto failed for msg_type 14 (x-addflow(eroute)).
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built pfkey message, error=-22.
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: "tunnel2" #8: pfkey_msg_build of flow eroute_connection replace with shunt failed, code -22
> > > Apr 13 20:27:39 vn-t-fw01 pluto[4667]: added connection description "tunnel2"
> > >
> > > Down:
> > > Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2": terminating SAs using this connection
> > > Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: deleting state (STATE_QUICK_I2)
> > > Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: pfkey_lib_debug:pfkey_msg_hdr_build: satype 88 > max 9
> > > Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #14: building of pfkey_msg_hdr flow eroute_connection replace with shunt failed, code -22
> > > Apr 13 20:28:17 vn-t-fw01 pluto[4667]: "tunnel2" #13: deleting state (STATE_MAIN_I4)
> > >
> > > * The use of leftsourceip= generates an error in the log, but does work at advertized (as far as I could see):
> > >
> > > Apr 13 20:36:30 vn-t-fw01 pluto[5197]: "tunnel2" #2: up-client output: /usr/local/lib/ipsec/_updown.klips: changesource `ip route change 172.16.1.0/24 dev ipsec0 src 172.16.4.11' failed (RTNETLINK answers: No such file or directory)
> > >
> > > * While running some tests during this email I got this one, --replace followed by --up:
> > >
> > > # ipsec auto --up tunnel2
> > > 104 "tunnel2" #15: STATE_MAIN_I1: initiate
> > > 003 "tunnel2" #15: received Vendor ID payload [Openswan (this version) 2.6.master-201015.git ]
> > > 003 "tunnel2" #15: received Vendor ID payload [Dead Peer Detection]
> > > 106 "tunnel2" #15: STATE_MAIN_I2: sent MI2, expecting MR2
> > > 108 "tunnel2" #15: STATE_MAIN_I3: sent MI3, expecting MR3
> > > 003 "tunnel2" #15: received Vendor ID payload [CAN-IKEv2]
> > > 004 "tunnel2" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> > > 117 "tunnel2" #16: STATE_QUICK_I1: initiate
> > > 003 ERROR: "tunnel2" #16: pfkey write() of K_SADB_X_ADDFLOW message 71 for flow tun.100b at 172.16.2.10 failed. Errno 17: File exists
> > > 032 "tunnel2" #16: STATE_QUICK_I1: internal error
> > >
> > > In log:
> > > Apr 13 20:33:52 vn-t-fw01 pluto[4667]: added connection description "tunnel2"
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: initiating Main Mode
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [Openswan (this version) 2.6.master-201015.git ]
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [Dead Peer Detection]
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I2: sent MI2, expecting MR2
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > > Apr 13 20:33:55 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I3: sent MI3, expecting MR3
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: received Vendor ID payload [CAN-IKEv2]
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: Main mode peer ID is ID_IPV4_ADDR: '172.16.2.10'
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: "tunnel2" #16: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#15 msgid:e4021180 proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160
> > > pfsgroup=OAKLEY_GROUP_MODP1536}
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: ERROR: "tunnel2" #16: pfkey write() of K_SADB_X_ADDFLOW message 71 for flow tun.100b at 172.16.2.10 failed. Errno 17: File exists
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 02 0e 00 09 17 00 00 00 47 00 00 00 3b 12 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 03 00 01 00 00 00 10 0b 00 00 00 00 00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 02 00 00 00 ac 10 03 15 00 00 00 00 00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 03 00 06 00 00 00 00 00 02 00 00 00 ac 10 02 0a
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 00 00 00 00 00 00 00 00 03 00 15 00 00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 02 00 00 00 ac 10 04 00 00 00 00 00 00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 03 00 16 00 00 00 00 00 02 00 00 00 ac 10 01 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 00 00 00 00 00 00 00 00 03 00 17 00 00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 02 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 03 00 18 00 00 00 00 00 02 00 00 00 ff ff ff 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | 00 00 00 00 00 00 00 00
> > > Apr 13 20:33:56 vn-t-fw01 pluto[4667]: | raw_eroute result=0
> > >
> > > This is the configuration I used for these test:
> > >
> > > (Local is right in this case, using identical config on both end, except for protostack=, remote is netkey)
> > > (Kernel used on this particular instance is a 2.6.24 based Ubuntu kernel)
> > >
> > > # /etc/ipsec.conf - Openswan IPsec configuration file
> > > # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
> > >
> > > # This file: /usr/share/doc/openswan/ipsec.conf-sample
> > > #
> > > # Manual: ipsec.conf.5
> > >
> > >
> > > version 2.0 # conforms to second version of ipsec.conf specification
> > >
> > > # basic configuration
> > > config setup
> > > # Do not set debug options to debug configuration issues!
> > > # plutodebug / klipsdebug = "all", "none" or a combation from below:
> > > # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
> > > # eg:
> > > # plutodebug="control parsing"
> > > #
> > > # enable to get logs per-peer
> > > # plutoopts="--perpeerlog"
> > > #
> > > # Again: only enable plutodebug or klipsdebug when asked by a developer
> > > #
> > > # NAT-TRAVERSAL support, see README.NAT-Traversal
> > > nat_traversal=yes
> > > # exclude networks used on server side by adding %v4:!a.b.c.0/24
> > > virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> > > # OE is now off by default. Uncomment and change to on, to enable.
> > > oe=off
> > > # which IPsec stack to use. netkey,klips,mast,auto or none
> > > protostack=klips
> > > #protostack=mast
> > > #protostack=netkey
> > > dumpdir=/tmp
> > >
> > >
> > > # Add connections here
> > >
> > > # sample VPN connection
> > > # for more examples, see /etc/ipsec.d/examples/
> > > #conn sample
> > > # # Left security gateway, subnet behind it, nexthop toward right.
> > > # left=10.0.0.1
> > > # leftsubnet=172.16.0.0/24
> > > # leftnexthop=10.22.33.44
> > > # # Right security gateway, subnet behind it, nexthop toward left.
> > > # right=10.12.12.1
> > > # rightsubnet=192.168.0.0/24
> > > # rightnexthop=10.101.102.103
> > > # # To authorize this connection, but not actually start it,
> > > # # at startup, uncomment this.
> > > # #auto=start
> > > conn tunnel2
> > > left=172.16.2.10
> > > leftsubnet=172.16.1.0/24
> > > leftnexthop=172.16.2.20
> > > leftsourceip=172.16.1.20
> > > leftrsasigkey=0sAQN9...
> > > right=172.16.3.21
> > > rightsubnet=172.16.4.0/24
> > > rightnexthop=172.16.3.10
> > > rightsourceip=172.16.4.11
> > > rightrsasigkey=0sAQOq...
> > > ike=3des
> > > phase2alg=3des
> > > auto=add
> > >
> > > --
> > > Regards,
> > >
> > > Ruben Laban
> > > Senior Systems and Network Administrator
> > > ISM eCompany
> > > _______________________________________________
> > > Dev mailing list
> > > Dev at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/dev
> > >
> > >
> >
> > --
> > David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
> > McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
>
> > diff --git a/programs/pluto/kernel_pfkey.c b/programs/pluto/kernel_pfkey.c
> > index bc73c0d..2f0a353 100644
> > --- a/programs/pluto/kernel_pfkey.c
> > +++ b/programs/pluto/kernel_pfkey.c
> > @@ -1253,7 +1253,7 @@ pfkey_shunt_eroute(struct connection *c
> > , htonl(spi)
> > , SA_INT
> > , 0 /* transport_proto is not relevant */
> > - , SADB_X_SATYPE_INT, null_proto_info
> > + , ET_INT, null_proto_info
> > , 0 /* use lifetime */
> > , inop
> > , opname);
> > @@ -1279,7 +1279,7 @@ pfkey_shunt_eroute(struct connection *c
> > , htonl(spi)
> > , SA_INT
> > , sr->this.protocol
> > - , K_SADB_X_SATYPE_INT
> > + , ET_INT
> > , null_proto_info, 0, op, buf2);
> > }
> > }
> > diff --git a/programs/pluto/kernel_pfkey.h b/programs/pluto/kernel_pfkey.h
> > index 4a87414..f92438f 100644
> > --- a/programs/pluto/kernel_pfkey.h
> > +++ b/programs/pluto/kernel_pfkey.h
> > @@ -42,7 +42,7 @@ extern bool pfkey_raw_eroute(const ip_address *this_host
> > , ipsec_spi_t spi
> > , unsigned int proto UNUSED
> > , unsigned int transport_proto
> > - , unsigned int satype
> > + , enum eroute_type esatype
> > , const struct pfkey_proto_info *proto_info UNUSED
> > , time_t use_lifetime UNUSED
> > , enum pluto_sadb_operations op
>
> > _______________________________________________
> > Dev mailing list
> > Dev at openswan.org
> > http://lists.openswan.org/mailman/listinfo/dev
>
>
>
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
More information about the Dev
mailing list